09-21-2012 02:44 PM - edited 03-11-2019 04:57 PM
I have been using static NAT to map between a single server behind an ASA 5505 and a single public IP address. In other words, I've been doing this:
object network NAT_ME
nat (inside,outside) static interface
Now I would like to start using the clientless VPN feature of the ASA, so I of course don't want that particular port forwarded to the server. Is there a way to define such an exclusion? I've tried several things, including setting up a separate NAT rule to direct that port back to the ASA's interface, without luck.
If that is not possible, what configuration would I need to move to in order to get the behavior that I want? It is important that all (non-VPN) traffic is passed exactly as it arrives at the firewall (whether it is coming from internal or external), with the exception of changing the IP address (i.e., I need static port mappings for some of my services).
09-21-2012 02:52 PM
You are correct, you would need to configure static PAT instead of static NAT for your server.
Are there a lot of ports that you need to access from the internet for that server?
09-21-2012 03:22 PM
Sadly, that's what I thought.
I seem to have that setup working now. I don't have that many ports, I suppose, but this just seems like a pretty clumsy way to do it.
It appears that the ASA is preserving the source port, even when I use "dynamic" -- is that correct?
09-21-2012 05:28 PM
What do you mean?
Which command did you configure for the dynamic one?
If you are configuring static PAT, then it needs to be static, instead of dynamic. I am assuming that you are talking about a different configuration?
09-21-2012 05:39 PM
Now I have a set of commands that looks like this (this is just a small excerpt):
object network OUTBOUND_NAT
host 10.0.0.10
object network ISA_EXCH
host 10.0.0.10
...
object network OUTBOUND_NAT
nat (inside,outside) dynamic interface
object network ISA_EXCH
nat (inside,outside) static interface service tcp https https
When I do this, even the NAT'd outbound traffic (handled by the "nat (inside,outside) dynamic interface") is having its source port preserved (which is good, it is what I want!). The Cisco docs confirm that this is the expected behavior, but many (most?) NAT solutions (at least that I've worked with) will not preserve the source port with dynamic NAT unless explicitly configured to do so.
09-23-2012 07:22 AM
Yes, you are right. With the new NAT, it was designed so it does preserve the source port.
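A worked configuration illustrating the outcome the thread arrives at: the whole-address static NAT is replaced by one static PAT entry per published service, outbound traffic keeps dynamic PAT to the interface, and tcp/443 on the outside interface is left to the ASA's clientless SSL VPN. This is a constructed example added here, not a config from the thread; the object names, the server address 10.0.0.10, the chosen services, the inbound ACL name and the peer address in packet-tracer are all assumptions. The security point is the narrowing: only the ports you list are exposed, instead of the server's entire port range.

```text
! Constructed example (not from the thread). Server 10.0.0.10 is published
! behind the outside interface address; only the listed ports reach it.

! --- before: whole-address static NAT, every port forwarded to the server ---
! object network NAT_ME
!  host 10.0.0.10
!  nat (inside,outside) static interface

! --- after: one object per published service, static PAT per port ---
object network SRV_SMTP
 host 10.0.0.10
 nat (inside,outside) static interface service tcp smtp smtp
object network SRV_HTTP
 host 10.0.0.10
 nat (inside,outside) static interface service tcp www www

! outbound connections from the server still hide behind the interface
object network SRV_OUTBOUND
 host 10.0.0.10
 nat (inside,outside) dynamic interface

! NAT alone does not admit traffic; the inbound ACL (post-8.3, written with
! the real address) must permit exactly the published ports and nothing else
access-list OUTSIDE_IN extended permit tcp any host 10.0.0.10 eq smtp
access-list OUTSIDE_IN extended permit tcp any host 10.0.0.10 eq www
access-group OUTSIDE_IN in interface outside

! tcp/443 on the outside interface is now free for the clientless SSL VPN
webvpn
 enable outside

! checks: inspect the translation table, then trace a packet to 443 and one
! to 25 from a constructed outside address and confirm which one reaches the server
show nat detail
packet-tracer input outside tcp 203.0.113.9 40000 <outside-ip> 443
packet-tracer input outside tcp 203.0.113.9 40000 <outside-ip> 25
```

Replace `<outside-ip>` with the ASA's actual outside address; the first trace should terminate on the ASA itself and the second should translate to 10.0.0.10.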